[wp-trac] [WordPress Trac] #56471: TinyMCE version 4.9.11 is full of known XSS vulnerabilities
WordPress Trac
noreply at wordpress.org
Wed Aug 31 08:03:11 UTC 2022
#56471: TinyMCE version 4.9.11 is full of known XSS vulnerabilities
-----------------------------+-----------------------------
Reporter: jkfoiztmcjeikfp | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: TinyMCE | Version:
Severity: major | Keywords:
Focuses: javascript |
-----------------------------+-----------------------------
A Whitesource Scan of the WordPress Core files results in several
findings:
- A cross-site scripting (XSS) vulnerability was discovered in the schema
validation logic of the core parser. The vulnerability allowed arbitrary
JavaScript execution when inserting a specially crafted piece of content
into the editor using the clipboard or editor APIs. This malicious content
could then end up in content published outside the editor, if no server-
side sanitization was performed. This impacts all users who are using
TinyMCE 5.8.2 or lower.
- A cross-site scripting (XSS) vulnerability was discovered in the URL
processing logic of the image and link plugins. The vulnerability allowed
arbitrary JavaScript execution when updating an image or link using a
specially crafted URL. The issue only impacted users while editing, and the
dangerous URLs were stripped from any content extracted from the editor. This
impacts all users who are using TinyMCE 5.9.2 or lower.
- A cross-site scripting (XSS) vulnerability was discovered in the URL
sanitization logic of the core parser of TinyMCE. The vulnerability
allowed arbitrary JavaScript execution when inserting a specially crafted
piece of content into the editor using the clipboard or APIs. This impacts
all users who are using TinyMCE 5.5.1 or lower.
- A cross-site scripting vulnerability was found in TinyMCE before 5.7.1. A
cross-site scripting vulnerability was discovered in the URL sanitization
logic of the core parser for form elements. The vulnerability allowed
arbitrary JavaScript execution when inserting a specially crafted piece of
content into the editor using clipboard or APIs, and then submitting the
form. However, as TinyMCE does not allow forms to be submitted while
editing, the vulnerability could only be triggered when the content was
previewed or rendered outside the editor.
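All four advisories above come down to two checks an HTML editor's parser must get right, URL scheme validation and attribute/schema allowlisting, and the first one notes that crafted content only becomes a published XSS when no server-side sanitization backs the editor up. The following is an added example, not WordPress or TinyMCE code, of what that server-side step looks like as a minimal allowlist sanitizer in Node.js; the tag and attribute allowlist, the `SAFE_SCHEMES` set and all sample inputs are assumptions constructed for this illustration.

```javascript
'use strict';

// Added example (not WordPress or TinyMCE code): server-side allowlist
// sanitizer for editor output. Tags and attributes not listed are dropped,
// and href/src values must carry an allowed scheme after browser-style
// decoding. The allowlist below is an assumption for the illustration.
const ALLOWED = new Map([
  ['a', new Set(['href', 'title'])],
  ['img', new Set(['src', 'alt', 'width', 'height'])],
  ['p', new Set()], ['strong', new Set()], ['em', new Set()],
  ['br', new Set()], ['ul', new Set()], ['li', new Set()],
]);
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };

// Decode character references the way a browser does before it reads an
// attribute value, so the scheme check sees the same string the browser will.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (whole, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const code = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(code) && code <= 0x10ffff ? String.fromCodePoint(code) : whole;
    }
    const named = NAMED[body.toLowerCase()];
    return named !== undefined ? named : whole;
  });
}

// Expects an already-decoded URL. Browsers ignore ASCII control characters
// and whitespace while parsing the scheme, so strip them before matching;
// a URL with no scheme at all is relative and cannot select a handler.
function isSafeUrl(decoded) {
  const cleaned = decoded.replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return true;
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Rebuilds the fragment from scratch: only allowed tags with only allowed
// attributes are re-emitted, every attribute value is re-escaped, and any
// stray '<' in text is escaped so it cannot start a tag the tokenizer missed.
// The regex tokenizer is deliberately small; a production filter should use
// a real HTML parser.
function sanitize(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>`]+)))?/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += html.slice(last, m.index).replace(/</g, '&lt;');
    last = tagRe.lastIndex;
    const name = m[1].toLowerCase();
    const allowedAttrs = ALLOWED.get(name);
    if (!allowedAttrs) continue; // unknown tag (script, iframe, ...): drop the tag, keep the text
    if (m[0].startsWith('</')) { out += `</${name}>`; continue; }
    let attrs = '';
    attrRe.lastIndex = 0;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const attr = a[1].toLowerCase();
      if (!allowedAttrs.has(attr)) continue; // drops on* handlers, style, etc.
      const value = decodeEntities(a[2] ?? a[3] ?? a[4] ?? '');
      if (URL_ATTRS.has(attr) && !isSafeUrl(value)) continue; // bad scheme: drop the attribute
      attrs += ` ${attr}="${escapeAttr(value)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  out += html.slice(last).replace(/</g, '&lt;');
  return out;
}

module.exports = { decodeEntities, isSafeUrl, sanitize };
```

The point of decoding before checking, and of stripping control characters, is that the editor's own schema validation and the server-side filter must agree with the browser about what a value means; the entity-encoded and whitespace-padded scheme cases in the test below are exactly the kind of normalization gap the advisories describe. In a WordPress deployment this server-side role is played by the `wp_kses` family of filters.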
While these issues might not (all) seem severe, they are making it hard to
use WordPress in an enterprise context where there are Whitesource scans
and teams in place to hold you accountable for security findings. If
nothing else, they are very bad publicity.
I realize a TinyMCE upgrade has its challenges, but, as shown above, it
also has great rewards.
I did not use the HackerOne program, because these are known (and fixed)
vulnerabilities.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56471>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform